remove unnecessary error categorization in nsICertOverrideService
Categories: Core :: Security: PSM, task, P1

| | Tracking | Status |
|---|---|---|
| firefox106 | --- | fixed |

People: Reporter: keeler, Assigned: keeler
Whiteboard: [psm-assigned]
Attachments (3 files):
Bug 1781104 - remove unused 'add override by fingerprint' API from nsICertOverrideService r?djackson (deleted), text/x-phabricator-request
(deleted), text/x-phabricator-request
Bug 1781104 - replace error type booleans with error category in nsITransportSecurityInfo r?djackson (deleted), text/x-phabricator-request
When adding a certificate error override, all UI flows used to go through the add certificate exception dialog, which categorizes certificate errors into trust (e.g. unknown issuer), time (e.g. expired certificate), and domain (domain mismatch) errors. Now that the certificate error page in Firefox just adds the exception without showing the extra dialog, most users will never encounter this categorization. More fundamentally, it makes little sense to operate this way - the implementation essentially pins the certificate to the origin in question, so making sure that the collected errors are in the same categories as they were before adds no security.
Removing this error categorization will simplify the error handling in SSLServerCertVerification.cpp.
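An added sketch (not Firefox or PSM code) of the reasoning in the description above: it models an override as a certificate fingerprint pinned to a host:port plus the recorded error-category bits, and compares a categorized check with a pin-only check. The class, the constants, the subset rule used for the categories, and the sample fingerprints are assumptions made for illustration.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Error categories named in the description (model values, not Firefox's own).
enum : uint8_t { kErrorTrust = 1, kErrorDomain = 2, kErrorTime = 4 };

struct Override {
  std::string fingerprint;  // identifies the exact certificate the user accepted
  uint8_t errorBits;        // categories collected when the override was added
};

class OverrideStore {
 public:
  void Add(const std::string& hostPort, const std::string& fp, uint8_t bits) {
    mOverrides[hostPort] = Override{fp, bits};
  }

  // Categorized check: pin must match AND every error collected now must fall
  // in a category recorded when the override was added.
  bool AllowsCategorized(const std::string& hostPort,
                         const std::string& fingerprint,
                         uint8_t collected) const {
    auto it = mOverrides.find(hostPort);
    return it != mOverrides.end() && it->second.fingerprint == fingerprint &&
           (collected & ~it->second.errorBits) == 0;
  }

  // Pin-only check: applies exactly when the presented certificate is the one
  // stored for this origin.
  bool AllowsPinOnly(const std::string& hostPort,
                     const std::string& fingerprint) const {
    auto it = mOverrides.find(hostPort);
    return it != mOverrides.end() && it->second.fingerprint == fingerprint;
  }

 private:
  std::map<std::string, Override> mOverrides;
};

int main() {  // all values below are constructed samples
  OverrideStore store;
  store.Add("intranet.example:443", "AA:BB:CC", kErrorTrust);
  // The same certificate later expires: identical pin, one extra category.
  bool legacy = store.AllowsCategorized("intranet.example:443", "AA:BB:CC",
                                        kErrorTrust | kErrorTime);
  bool pinOnly = store.AllowsPinOnly("intranet.example:443", "AA:BB:CC");
  bool swapped = store.AllowsPinOnly("intranet.example:443", "DD:EE:FF");
  return (!legacy && pinOnly && !swapped) ? 0 : 1;
}
```

In this model a different certificate is refused by both checks, so the category bits only ever change the outcome for the certificate that is already pinned.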
Comment 1 • 2 years ago (Assignee)
rememberTemporaryValidityOverrideUsingFingerprint is no longer used in nsICertOverrideService and can be removed.
Comment 2 • 2 years ago (Assignee)
Depends on D152825
Comment 3 • 2 years ago (Assignee)
Depends on D152826
Comment 5 • 2 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/3d4c394291dc
https://hg.mozilla.org/mozilla-central/rev/f1bc68230158
https://hg.mozilla.org/mozilla-central/rev/676e661538d4
Comment 6 • 2 years ago (bugherder)